reg-network-profiles
Retrieves a list of network profiles from a SOFTWARE registry hive file. You can view the profile name, category, type, and creation and last connection time of network adapters that have been connected to the system.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
- `zippath=STR`: Path to the ZIP file containing the registry hive file. When specified, reads the file matching `PATH` from inside the ZIP archive.
- `zipcharset=STR`: Encoding for ZIP entry names (default: `utf-8`)
Target
- `PATH`: SOFTWARE registry hive file path. You can use a wildcard (`*`) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | Original file name |
| guid | string | Network profile GUID |
| profile_name | string | Network profile name |
| description | string | Network profile description |
| category | string | Network category. One of Public, Private, Domain Authenticated |
| category_id | integer | Network category ID. 0 (Public), 1 (Private), 2 (Domain Authenticated) |
| name_type | string | Network name type. One of Wired Network, VPN, Wireless Network, Mobile Broadband |
| name_type_id | integer | Network name type ID. 6 (Wired Network), 23 (VPN), 71 (Wireless Network), 243 (Mobile Broadband) |
| date_created | timestamp | Network profile creation time |
| date_last_connected | timestamp | Last connection time |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The reg-network-profiles command parses network profile entries from the Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles key in the Windows SOFTWARE registry hive file. Each profile contains the network name, category (Public/Private/Domain), type (wired/wireless/VPN, etc.), creation time, and last connection time.
In forensic analysis, the SOFTWARE hive file is typically located at C:\Windows\System32\config\SOFTWARE.
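To cross-check the command's output against raw values read from a profile subkey, the following added example (not Logpresso code) decodes one profile into the output field names listed above. It assumes the commonly documented Windows layout: value names `ProfileName`, `Description`, `Category`, `NameType`, and `DateCreated`/`DateLastConnected` stored as 16-byte SYSTEMTIME structures in the machine's local time. The sample GUID, names, and bytes are constructed.

```python
import struct
from datetime import datetime

# ID-to-label mappings taken from the Output fields table
CATEGORIES = {0: "Public", 1: "Private", 2: "Domain Authenticated"}
NAME_TYPES = {6: "Wired Network", 23: "VPN", 71: "Wireless Network", 243: "Mobile Broadband"}

def decode_systemtime(raw):
    """Decode a 16-byte SYSTEMTIME (eight little-endian uint16) to a naive datetime."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be 16 bytes, got %d" % len(raw))
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)

def decode_profile(guid, values):
    """Map the raw registry values of one profile subkey to output-style fields."""
    def ts(name):
        raw = values.get(name)
        try:
            return decode_systemtime(raw) if raw else None
        except ValueError:
            return None  # truncated or zeroed timestamp: report as missing
    cat, ntype = values.get("Category"), values.get("NameType")
    return {
        "guid": guid,
        "profile_name": values.get("ProfileName"),
        "description": values.get("Description"),
        "category": CATEGORIES.get(cat),      # None for an ID not in the table
        "category_id": cat,
        "name_type": NAME_TYPES.get(ntype),
        "name_type_id": ntype,
        "date_created": ts("DateCreated"),    # local time of the source machine
        "date_last_connected": ts("DateLastConnected"),
    }

# Constructed sample: a public wireless profile
SAMPLE_GUID = "{00000000-0000-0000-0000-000000000001}"
SAMPLE_VALUES = {
    "ProfileName": "ExampleCafe-WiFi",
    "Description": "ExampleCafe-WiFi",
    "Category": 0,
    "NameType": 71,
    "DateCreated": bytes.fromhex("e8070300020005000e001e002d000000"),
    "DateLastConnected": bytes.fromhex("e80703000400070009000f0000007b00"),
}

if __name__ == "__main__":
    for key, value in decode_profile(SAMPLE_GUID, SAMPLE_VALUES).items():
        print(key, "=", value)
```

Because the decoded timestamps carry no time zone, convert them using the time zone of the examined system before correlating with UTC log sources.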
Examples
- Retrieving network profiles from a SOFTWARE hive file
  `reg-network-profiles /opt/logpresso/evidence/SOFTWARE`
  Retrieves all network profiles from the specified SOFTWARE hive file.
- Retrieving network profiles from a SOFTWARE hive inside a ZIP archive
  `reg-network-profiles zippath=/opt/logpresso/evidence/registry.zip SOFTWARE`
  Retrieves network profiles from the SOFTWARE hive file inside a ZIP archive.
- Filtering wireless network profiles sorted by last connection time
  `reg-network-profiles /opt/logpresso/evidence/SOFTWARE | search name_type == "Wireless Network" | sort -date_last_connected`
  Filters to show only wireless network profiles and sorts them in descending order by last connection time.